Color me not surprised. The public has speculated for a while that the NSA runs a huge number of Tor exit nodes which essentially renders anonymity an illusion. If 5 governments collaborated, they could easily get 100,000 virtual Tor machines scattered across the globe with innocuous IPs. They might not have access to the stuff that's encrypted, but everything else (including the identity of the user) would be available.

Is the NSA trying to scare everyone into the open so they can monitor everyone who's "innocent" and go "Hey, Tor is nothing but a wretched hive of scum and villainy for the Internet! Someone should make it illegal!"

As the Zen Master says, "We'll see."

Isn't it just a browser exploit? I recall before Tor had the bundle, you could use any browser. It was just way harder to set up.

The use of a hard-coded IP address traceable back to the NSA is either a strange and epic screw-up on the part of someone associated with the agency (possibly a contractor at SAIC) or an intentional calling card as some analyzing the attack have suggested. One poster on Cryptocloud's discussion board wrote, "It's psyops—a fear campaign…They want to scare folks off Tor, scare folks off all privacy services."

Either explanation would be plausible. Those folks don't like anonymous internet access, and they are talented in malware.

Considering the target was suspected to be outside the US, the NSA would be the correct spying agency to use. They and the FBI refer things back and forth all the time. They also have all the hardware required to do this kind of thing.

Making everyone think twice about using a more secure system is a nasty psyop move. But if you have access to the raw traffic data, watching how the stream of packets from a single IP changes over time can be a good way to flag individuals as "suspect" and move to deeper surveillance techniques. If this announcement made you change your behavior, you're now a suspect. Congrats.

Isn't it just a browser exploit? I recall before Tor had the bundle, you could use any browser. It was just way harder to set up.

Yes, it's just a browser exploit-- one targeted at Tor Browser Bundle users on Windows. That would be most casual Tor users with limited tech skills, most likely.

Is the NSA trying to scare everyone into the open so they can monitor everyone who's "innocent" and go "Hey, Tor is nothing but a wretched hive of scum and villainy for the Internet! Someone should make it illegal!"

As the Zen Master says, "We'll see."

Actually, I was thinking of making TOR my default path to the internet. Let them chase me down and watch me read ... Ars.

My guess would be that the IP address was a mistake. It's probably a leftover from an early version of the exploit and they forgot to replace the hard-coded IP with something else. The NSA doesn't generally advertise their actions. As we have seen, too much attention on what they are doing causes diplomatic backlash. Even if they are operating within their mandate, other nations don't like hearing that their people are being spied upon and it is embarrassing to those governments that it is occurring even though every nation spies on each other none of them wants to deal with a public outcry over it unless they can see that it embarrasses someone else far more than them.

I've already bought a bushel of thumb drives. Every single day news comes out demonstrating the privacy landscape is worse than the day before. By (consults calendar - a paper one) October I'll be cowering in the corner, covered in tinfoil.

Some have questioned why Tor's NoScript does not disable javascript by default. To a point, I can understand the rationale of keeping it enabled.

But I can't figure why the heck the Tor bundle does not disable iframe/frame tag and other embedded objects (flash, silverlight, java) by default. Most web pages work fine without these, and the upshot is quite improved security. That I find weird.

Whistleblowers are NSA's (and its friends') biggest threats. This will cause potential whistleblowers to shy away from leaking (not all whistleblowers are ready to forsake anonymity). I often suspect there is even more damaging stuff waiting to be leaked than what has been leaked so far.

I suspect the US Postal service's public drop boxes will get more use.

It's unfortunate that one result of all this secrecy is the number of people who no longer trust the government. At least some of these people will be protecting themselves against perceived surveillance with increased use of security functions like full disk encryption.

Innocent people with nothing to hide (me, for example) will be routinely encrypting hard drives and files stored in "the cloud" not because I'm concerned with what the spies might find, but because I'm creeped out by the fact that they're looking. As things like FDE become more widely used, they'll also become better documented, easier to use, and more routine, making it more and more difficult for the watchers.

I guess I think that this is a good thing, because we shouldn't be subject to suspicionless surveillance anyway. But the situation is creating a community of those looking to protect themselves, and that's going to make it easier for low-level bad actors to do the same.

I wonder if perhaps it could be a calling card of a different sort - let's apply Occam's razor and remove the complicated conspiracy ideas layered with (sometimes founded) paranoid surveillance worries and look at the case.

Perhaps when deciding to use this exploit, the planners wanted to ensure it was clearly a LEA effort focused on this particular child porn attack. Kind of like wearing those blue blazers labeled "FBI" making the subsequent fact finding missions easier when they bring it to court.

Sad thing is, most Americans just don't care about all of this. The more that comes out, the more sickened I am. If this (everything that is going on) is not an infringement on our personal liberty, I do not know what is.

Perhaps there is a Snowdenesque employee who fears solitary confinement that "left" the mistake in, expecting it would be found? Guess I am hoping some other employees of NSA and its minions have a sense of outrage at what they have done.

Silly me. I thought there was some kind of law in the US that forbade injecting malware into other people's computers. Clearly if the government does it then it must be OK for everyone.

There are laws against it. There are also laws allowing it. We'll need to learn more about the specifics to determine under which context this particular action was done.

My point is that despite being embroiled in some very overtly undemocratic activity, the NSA does do some legitimate work ... All the more reason why the notion of what is considered "National Secret" needs a SERIOUS overhaul in Western Nations - the premise that a Democracy can function when a significant portion of Executive policy and decision making is done based on and within a CLASSIFIED regime is flawed.

Is the NSA trying to scare everyone into the open so they can monitor everyone who's "innocent" and go "Hey, Tor is nothing but a wretched hive of scum and villainy for the Internet! Someone should make it illegal!"

As the Zen Master says, "We'll see."

If the US government wanted to fight Tor, they have easier methods available to them. "Not throwing money at it" would be a start. Maybe they shouldn't have developed it in the first place. You do know that Tor was developed in a US Navy lab with DARPA support and gets 80% of its budget from the US government, right?

My guess would be that the IP address was a mistake. It's probably a leftover from an early version of the exploit and they forgot to replace the hard-coded IP with something else. The NSA doesn't generally advertise their actions. As we have seen, too much attention on what they are doing causes diplomatic backlash. Even if they are operating within their mandate, other nations don't like hearing that their people are being spied upon and it is embarrassing to those governments that it is occurring even though every nation spies on each other none of them wants to deal with a public outcry over it unless they can see that it embarrasses someone else far more than them.

I disagree with your thinking. It is to the NSA's vested interest to allow "leaks" such as this to occur as Congress is considering reining in their powers. "Accidentally" disclosing their handiwork while busting child pornographers is a timely move on their part. It gives legislators "cover" for voting against reining in their powers.

Otherwise, why screw up in this manner? They're not that stupid. This slip-up, simply put, is an intentional action designed to influence upcoming legislation and votes.

The real message to all concerned should be that if this can be done to child pornographers, it can just as easily be done to reporters or human-rights activists. Remember, most reporters and/or activists are not techies, and they don't usually possess the skills to secure their communications in any significant way. Generally, they are consumers of apps and programs, and care little, if any, about their inner workings. They are a sub-section of the population taking high risks yet simultaneously highly vulnerable to exploitation.

It's interesting that one part of the government is proving adept at these types of hacks, while other parts of the same government frequently succumb to equally skilled but less well intentioned black hats. Maybe someday they'll put their expertise into tightening up the security of data held by agencies such as the IRS, Social Security Administration, etc.